Malware Pre-installed On Your Android Phone?

Mobile operating systems are complex beasts, so it’s no surprise that each new version of Android comes with one or two theoretical security flaws that could, if discovered by hackers before they are patched, spell disaster for unhappy users. Did your smartphone come with malware pre-installed? Read on...

Malware on Your Android Phone?

Guess how many security flaws two researchers with the Kryptowire security consultancy found in factory-fresh copies of 25 Android phones made by 11 different OEMs (vendors) including Asus, ZTE, LG and the Essential Phone; devices distributed by the likes of AT&T and Verizon.

Two? Ten? How about more than three dozen? Thirty-eight, to be exact. These vulnerabilities enabled hackers to do everything from mere mischief – such as triggering random factory resets – to real-time eavesdropping or hoovering up all of a user’s personal data and transmitting it to unknown servers on the Internet. Some of the affected phones include the LG G6, the Essential Phone, the Sony Xperia L1, and the Asus ZenFone 3 Max.

What the heck, Google! Why do you let such sloppy programming get out the door? Oh wait, it's not Google's fault? Then who is to blame?

The thing is, none of the vulnerabilities lay in the Android operating system itself. Instead, they were in apps written or licensed by vendors and carriers and pre-installed by them on the phones sold to consumers. Many of the dozens of apps that come with a phone and are part of its branding happen to be shabby, leaky examples of bad programming. They are egregious betrayals of trust.

"All of these are vulnerabilities that are prepositioned. They come as you get the phone out the box," said Angelos Stavrou, Kryptowire's CEO, at the DEFCON hackers conference where Kryptowire’s research was reported. "That's important because consumers think they're only exposed if they download something that's bad."

In hindsight, it is no surprise that OEM apps – also known as “bloatware” or unnecessary software – are security sieves. These apps are last-minute additions to new hardware platforms, like the ribbon bow that is the final touch on a present. Product launch deadlines must be met, and if time was lost earlier in the development process it can be shaved off at the end by omitting rigorous security testing of bloatware. Who has time or resources for that sort of stuff, anyhow?

AT&T, Verizon, LG Electronics, Motorola, and even startups like Essential, that’s who. It is an unforgivable betrayal to ship phones with bloatware that has not been thoroughly vetted and hardened against hackers and malware.

Executives with Essential said the company has already fixed the flaws highlighted at DEFCON after Kryptowire “reached out” to them. LG said it is in the process of rolling out patches. AT&T also said it is issuing patches for its products.

"ASUS is aware of the recent ZenFone security concerns raised and is working diligently and swiftly to resolve them with software updates that will be distributed over-the-air to our ZenFone users," an ASUS spokesman said in a statement. Translation: we are still trying to figure out what to do.

ZTE and Verizon did not respond to media requests for comment. "The issues they have outlined do not affect the Android operating system itself, but rather, third party code and applications on devices. Together with Kryptowire, we have reached out to affected Android partners to address these issues," a Google spokesperson said in a statement.

How Bad Are These Flaws?

Nefarious things enabled by flawed bloatware include keylogging of usernames and passwords, captures of screenshots showing users’ bank details and other sensitive data, logging of who a person contacts and what about, and other familiar dirty tricks. But the privileged nature of OEM-installed apps makes them far more dangerous than garden-variety malware.

Pre-installed apps often have higher privileges than apps installed by users. If a pre-installed app can be subverted through one of the vulnerabilities Kryptowire discovered, a malicious app can borrow that privilege to do things it could not do directly. For instance, pre-installed apps may be able to access protected files on a device.

The vulnerabilities on ASUS's ZenFone 3 Max enable apps to download and install other apps from any source, obtain WiFi passwords, intercept text messages, and make phone calls (perhaps to $5.99 per minute “premium” voice services).

The Essential Phone had a vulnerability that enabled a malicious app to trigger a factory reset that wipes out all user data stored on a phone.

The researchers dug into only 11 different phones, but there are more than 24,000 out there. It would be impossible to exhaustively vet the pre-installed apps on every single make and model. But OEMs aren’t even trying to protect their best-sellers.

"As an end user, there's not much you can do," Stavrou said. "Someone would have to scan and analyze your firmware and find the vulnerabilities." Yikes.

The only silver lining in this story is that most of the vulnerabilities that Kryptowire discovered require the user to download an app that is specially designed to exploit them. So I'll repeat my Android security advice here: If you're going to install an app, make sure it's from the official Google Play Store, and that it already has lots (thousands) of users and positive reviews.

Your thoughts on this topic are welcome. Post your comment or question below...

Most recent comments on "Malware Pre-installed On Your Android Phone?"

My LG k-20 is showing me ads after I unlock my screen. No apps open, just unlocking my phone to use it. No way to get it to stop, because no apps are running - except the underlying firmware. Add T-Mobile to your bloatware providers

Posted by:
Daniel
06 Sep 2018

Samsung is the big dog in the Android world. Unless I'm misreading your article and the info on the Kryptowire site, their phones did not have these issues. Am I right? Or did they just not test any from the largest seller of Android phones?

Posted by:
RandiO
06 Sep 2018

Stavrou said "As an end user, there's not much you can do," BUNK! There is no such thing as an end-user; when it comes to google/android eco-system. We can justify such out-of-the-box gotchas and the subsequent app downloads any way we wish. But to suggest to use the "official Google Play Store" is nothing but a placebo.
IMHO >> Attempting to defend google/android as NOT being the culprit is an outright hypocrisy.
Is it really worth calling ourselves the end-user, when we cannot even admit to ourselves that we really are the product... all for "convenience" sake?
I may not know the correct solution but I can definitely see the problem here.

Posted by:
Mike
06 Sep 2018

@Joan: You're right it must be T-Mobile showing those ads, as I have a K20 Plus from MetroPCS and don't have that problem.

Posted by:
Laurie
06 Sep 2018

While stock Android phones might have fewer issues, the Essential phone, which runs stock Android, is on the list here. "The Essential Phone had a vulnerability that enabled a malicious app to trigger a factory reset that wipes out all user data stored on a phone." It may have fewer vulnerabilities due to the lack of bloatware, but that doesn't mean there aren't any vulnerabilities. It uses a network-connected OS which allows users to download additional software, after all. And operating systems have security holes. How quickly and well these are patched is very important.

There is the benefit with stock Android phones purchased from Google (such as the Pixel) of regular security updates for a couple of years. Google typically sends security updates monthly. Just like with a PC, users should install these security updates.

There are, however, issues with getting security updates for non-Google Android phones. Because each manufacturer has its own modifications to Android, it is up to the manufacturers (and the cellular providers, if it is a cellular provider branded phone) to prepare and push those updates. Manufacturers and cell providers alike are notoriously slow to do this. Some manufacturers may push only one update over the life of a phone! The benefit of a stock Android phone from Google is that these monthly security updates will come on time, and the phones are typically supported with these updates for two years.

Regarding bloatware - since bloatware may come from cellular providers as well as from manufacturers, I do not buy cellular provider branded Android phones. Instead, I purchase the FACTORY unlocked version. It really cuts down on the bloatware. (Plus, there is the benefit that it will work with both GSM and CDMA providers.)

At the end of Bob's article, a very big part of the issue is mentioned, which doesn't involve pre-installed bloatware: most of the vulnerabilities involve users installing exploitative apps. Google has worked to greatly improve the quality of apps that are allowed to be available in Play Store with Google Play Protect. So, this is a good reason to only choose apps that are in the Google Play Store, and to check reviews first.

While I like many things about the deeper customization and tweaking abilities users have with the Android OS, I currently use an iPhone. I purchased my first iPhone a little over a year ago after being a long-time Android-only user. I wasn't sure I would like the lack of customization, but it has really turned out to be not a very big deal. iOS does have many nice features, and it does have a certain elegance about it. The "walled garden" may annoy some, but it does lead to better security. Also, the iPhones are supported with security and feature updates far longer than Android phones, even stock Android phones from Google. I do enjoy this support longevity, as I do not like to use a device that is no longer being supported with security updates. I still have an Android phone, but my personal daily driver these days is an iPhone.

Posted by:
mike mitchell
06 Sep 2018

Like Daniel above, 3rd post, I am curious as to where Samsung ended up on this list. Is there an actual list we can go to to view?

Posted by:
mike mitchell
06 Sep 2018

I think this is at least part of this information from the source.
https://www.kryptowire.com/adups_security_analysis.html

Posted by:
Bri
06 Sep 2018

Yeah, I've long suspected this. I've got apps running and chewing up power that I didn't even know were on. ty

Posted by:
Kirill
06 Sep 2018

Bob, first you stated:

"...25 Android phones made by 11 different OEMs (vendors) including Asus, ZTE, LG and the Essential Phone; devices distributed by the likes of AT&T and Verizon"

and then you blamed Google.

How can Google stop all the companies you mentioned from adding their own garbageware to stock Google Android? I personally had experience with some OEMs' "improvements" of Android, and that was one of the reasons to switch to a clean Android directly from Google - Nexus, Pixel, with a subscription to Google's Project Fi as a mobile carrier as well - and I haven't had any problems since. I'd say that it is better to have the only evil be Google, considering all its spying.

So, again, I am unpleasantly surprised by your current level of professionalism, Bob. Seriously, it looks... errr... lame. Sorry if it sounds too offensive and personal, but I have been with you since The Internet Tourbus and sadly can see the difference over the years...

EDITOR'S NOTE: You might want to read the article again. I specifically did not blame Google. I did place blame on "AT&T, Verizon, LG Electronics, Motorola..." for their "unforgivable betrayal to ship phones with bloatware that has not been thoroughly vetted and hardened against hackers and malware."

Posted by:
Bantam
06 Sep 2018

Puzzled - if it is not Android but pre-installed apps, why not at least publish the names of those apps or at least the names of known "enabler" apps we punters may unwittingly download? Or is it a secret?

Posted by:
Mark Hansen
07 Sep 2018

I would like to see legislation prohibiting the pre-installation of any apps...failing that require that all of them be able to be completely and totally removed by the user. Sad to have to resort to that, but it would seem to be necessary.

Posted by:
Mat
07 Sep 2018

Sure glad I only use iPhones!! Lol

Posted by:
David Baker
07 Sep 2018

Good info as always Bob. Thank you!

Posted by:
Patty
07 Sep 2018

Makes me long for the "good old days" of phones...maybe even think nostalgically about party lines where the only person you had to be concerned about was the other person who shared your line listening in on your private conversations. Those were the days, my friend... Anyway - enough showing my age. I am with the others....own a Samsung - are they at risk?

Posted by:
DG Blanc
07 Sep 2018

A recent newsletter sang the praises of PC-Matic. Oddly, this newsletter contains ads for PC-Matic. It seems odd that you would give a glowing review to a product and then immediately advertise that same product. Doing so calls into question the credibility of both the PC-Matic review and your own credibility. I am not aware that you have done this before, and I urge you not to do it again.

Posted by:
Jonathan
07 Sep 2018

We too are old enough to remember when land line phones shared a line with another party who could listen in to our conversations!
We'll be sticking with our flip phones, which are just phones, no data. Reading articles like this just firms our resolve ... and I believe some celebrities are now ditching their smart phones in favor of a flip phone so they cannot get hacked. Wow, we are so far behind that we are now ahead of the trend!

Posted by:
Kirill
08 Sep 2018

Bob, I've read the article. I didn't quote where you directly blamed Google.

"What the heck, Google!"

Oops, you're right. That phrase kicked me out of the article and I missed your point. Looks like I was still under the impression of your article about PC-Matic.

Moral of the story: If you are online, you're already hacked or will be soon.
